Files changes as per V3 tooling

Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml

@@ -0,0 +1,52 @@
+id: cb410ad5-6e9d-4278-b963-1e3af205d680
+name: SpyCloud Enterprise Breach Detection
+description: |
+  'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
+severity: High
+status: Available
+queryFrequency: 12h
+queryPeriod: 12h
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+tactics: 
+  - Credential Access
+relevantTechniques:
+  - T1555
+query: |
+  SpyCloudBreachDataWatchlist_CL
+  | where Severity_s == '20'
+  | project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 12h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride: null
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: Email_s
+  - entityType: Account		
+    fieldMappings:
+      - identifier: Name
+        columnName: Username_s
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IP_Address_s
+customDetails:
+  Document_Id: Document_Id_g
+  Password: Password_s
+  Password_Plaintext: Password_Plaintext_s
+  Source_Id: Source_Id_s
+  Domain: Domain_s
+  PublishDate: SpyCloud_Publish_Date_t
+sentinelEntitiesMappings: null
+version: 1.0.0
+kind: Scheduled

Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml

@@ -0,0 +1,71 @@
+id: 7ba50f9e-2f94-462b-a54b-8642b8c041f5
+name: SpyCloud Enterprise Malware Detection
+description: |
+  'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
+severity: High
+status: Available
+queryFrequency: 12h
+queryPeriod: 12h
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+tactics: 
+  - Credential Access
+relevantTechniques:
+  - T1555
+query: |
+  SpyCloudBreachDataWatchlist_CL
+  | where Severity_s == '25'
+  | project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 12h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride: null
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: Infected_Machine_Id_g
+  - entityType: Host		
+    fieldMappings:
+      - identifier: HostName
+        columnName: User_Hostname_s
+  - entityType: Account		
+    fieldMappings:
+      - identifier: FullName
+        columnName: Email_s
+  - entityType: Account		
+    fieldMappings:
+      - identifier: Name
+        columnName: Username_s
+  - entityType: DNS		
+    fieldMappings:
+      - identifier: DomainName
+        columnName: Target_Domain_s
+  - entityType: DNS		
+    fieldMappings:
+      - identifier: DomainName
+        columnName: Target_SubDomain_s
+  - entityType: IP		
+    fieldMappings:
+      - identifier: Address
+        columnName: IP_Address_s
+customDetails:
+  Document_Id: Document_Id_g
+  Password: Password_s
+  Password_Plaintext: Password_Plaintext_s
+  Infected_Path: Infected_Path_s
+  Infected_Time: Infected_Time_t
+  Domain: Domain_s
+  Source_Id: Source_Id_s
+  PublishDate: SpyCloud_Publish_Date_t
+  User_Host_Name: User_Hostname_s
+sentinelEntitiesMappings: null
+version: 1.0.0
+kind: Scheduled

Solutions/SpyCloud Enterprise Protection/Data/Solution_Spycloud_Enterprise_Protection.json

@@ -0,0 +1,26 @@
+{
+    "Name": "SpyCloud Enterprise Protection",
+    "Author": "SpyCloud",
+    "Logo": "<img src=\"https://raw.githubusercontent.com/VukaHeavyIndustries/azure-sentinel/master/Logos/SpyCloud_Enterprise_Protection.svg\" width=\"75\" height=\"75\" >",
+    "Description": "Cybercriminals continue to utilize stolen corporate credentials as the number one technique for account takeover (ATO). In fact, the FBI estimated that this resulted in estimated losses totaling more than $2.7 billion in 2022. SpyCloud helps prevent account takeover and ransomware attacks by identifying exposed credentials related to a company’s domains, IP addresses and emails. Through this integration, breach and malware data from SpyCloud can be loaded into Sentinel.",
+    "Playbooks": [
+        "Playbooks/Custom Connector/azuredeploy.json",
+        "Playbooks/SpyCloud-Breach-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Get-Domain-Breach-Data-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Get-Email-Breach-Data-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Get-IP-Breach-Data-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Get-Password-Breach-Data-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Get-Username-Breach-Data-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Malware-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Monitor-Watchlist-Data/azuredeploy.json"
+    ],
+    "Analytic Rules": [
+        "Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml",
+        "Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml"
+    ],
+    "BasePath": "D:\\GitHub\\Azure-Sentinel\\Solutions\\SpyCloud Enterprise Protection",
+    "Version": "3.0.0",
+    "Metadata": "SolutionMetadata.json",
+    "TemplateSpec": true,
+    "Is1PConnector": false
+}

Solutions/SpyCloud Enterprise Protection/Package/createUiDefinition.json

@@ -0,0 +1,145 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+  "handler": "Microsoft.Azure.CreateUIDef",
+  "version": "0.1.2-preview",
+  "parameters": {
+    "config": {
+      "isWizard": false,
+      "basics": {
+        "description": "<img src=\"https://raw.githubusercontent.com/VukaHeavyIndustries/azure-sentinel/master/Logos/SpyCloud_Enterprise_Protection.svg\" width=\"75\" height=\"75\" >\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nCybercriminals continue to utilize stolen corporate credentials as the number one technique for account takeover (ATO). In fact, the FBI estimated that this resulted in estimated losses totaling more than $2.7 billion in 2022. SpyCloud helps prevent account takeover and ransomware attacks by identifying exposed credentials related to a company’s domains, IP addresses and emails. Through this integration, breach and malware data from SpyCloud can be loaded into Sentinel.\n\n**Analytic Rules:** 2, **Custom Azure Logic Apps Connectors:** 1, **Playbooks:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "subscription": {
+          "resourceProviders": [
+            "Microsoft.OperationsManagement/solutions",
+            "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+            "Microsoft.Insights/workbooks",
+            "Microsoft.Logic/workflows"
+          ]
+        },
+        "location": {
+          "metadata": {
+            "hidden": "Hiding location, we get it from the log analytics workspace"
+          },
+          "visible": false
+        },
+        "resourceGroup": {
+          "allowExisting": true
+        }
+      }
+    },
+    "basics": [
+      {
+        "name": "getLAWorkspace",
+        "type": "Microsoft.Solutions.ArmApiControl",
+        "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+        "condition": "[greater(length(resourceGroup().name),0)]",
+        "request": {
+          "method": "GET",
+          "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+        }
+      },
+      {
+        "name": "workspace",
+        "type": "Microsoft.Common.DropDown",
+        "label": "Workspace",
+        "placeholder": "Select a workspace",
+        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+        "constraints": {
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "required": true
+        },
+        "visible": true
+      }
+    ],
+    "steps": [
+      {
+        "name": "analytics",
+        "label": "Analytics",
+        "subLabel": {
+          "preValidation": "Configure the analytics",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Analytics",
+        "elements": [
+          {
+            "name": "analytics-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+            }
+          },
+          {
+            "name": "analytics-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          },
+          {
+            "name": "analytic1",
+            "type": "Microsoft.Common.Section",
+            "label": "SpyCloud Enterprise Breach Detection",
+            "elements": [
+              {
+                "name": "analytic1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This alert creates an incident when an malware record is detected in the SpyCloud watchlist data"
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic2",
+            "type": "Microsoft.Common.Section",
+            "label": "SpyCloud Enterprise Malware Detection",
+            "elements": [
+              {
+                "name": "analytic2-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This alert creates an incident when an malware record is detected in the SpyCloud watchlist data"
+                }
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "name": "playbooks",
+        "label": "Playbooks",
+        "subLabel": {
+          "preValidation": "Configure the playbooks",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Playbooks",
+        "elements": [
+          {
+            "name": "playbooks-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+            }
+          },
+          {
+            "name": "playbooks-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          }
+        ]
+      }
+    ],
+    "outputs": {
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "location": "[location()]",
+      "workspace": "[basics('workspace')]"
+    }
+  }
+}